IGT is the global leader in gaming. It is listed on the New York Stock Exchange under the trading symbol IGT, and its holding company headquarters are in the United Kingdom, with operating headquarters in Rome, Italy; Las Vegas, Nevada; and Providence, Rhode Island. The company attracts the industry’s top talents, with more than 11,000 employees across the globe in over 100 countries on 6 continents.
About Kevin DeLange
Kevin DeLange is the global chief information security officer (CISO) at IGT, and he has been with the company for over 17 years. He is responsible for most aspects of cybersecurity, specifically risks, compliance, security architecture, security operations, privacy, and business continuity.
Last week, we had the chance to talk with Kevin DeLange about security awareness. If you’ve missed the webinar, you can watch it here or read some of the key learning points.
1. As a CISO, you must communicate to the board
Reporting to the management and the board is naturally on the list of tasks of a CISO today. At IGT, Kevin reports once or twice a year to the audit board besides frequently reporting to the management. Information security has a lot of visibility on the table of the board, specifically from the risk and business continuity points of view.
Kevin said, “You don’t report statistics to the board. You report trends.”
2. Quickly and seamlessly moving to remote work
With a large operation in China, IGT got in front of the situation. The company adjusted quickly and seamlessly to work from home.
Over the last year, IGT had a significant change in how the security operations should work. Employees are now outside of your normal defense circle, so it was necessary to take a different defense approach.
3. As challenges arise, you deal with them
People working from their own homes was a unique challenge that the team just had to deal with. The IT organization had a lot of work to do in order to enable business continuity when people started working from home.
However, from a security perspective, it was nothing new: you still needed to deal with the same threats.
4. Phishing is by far the largest attack vector
If you look at the statistics, phishing is the largest attack vector not just for IGT but for any other organization. It would be naïve to think that attackers don’t go after you. They are in the business of making a profit by improving their bottom line and success rate. They have started to adopt automation and machine learning to improve the attacks.
5. A mixture of the technical and human layer
For the first line of defense, you need good technology, but you also need a great phishing awareness program. You can’t ignore the human factor. You need to put employees in the proper mindset to act when they see something.
6. A successful awareness program must align with the business
You can’t just drop an awareness program and expect that it will align with the business immediately.
There are a lot of different elements that make a successful awareness program. I always believe that people want to do the right thing; attackers prey on this factor when victims think the email is coming from the right people. You need to prepare them for the dangers of emails.
Also, not everyone learns the same way. A comprehensive solution needs different approaches to spread awareness.
7. To create awareness, you need to practice with real-world scenarios
There is a lot of debate about awareness vs. behavior change.
You must make people aware of threats and help them understand the attacks by practicing real-world scenarios. Without practice, you can’t get users to react properly.
8. You can’t blame the employee if they didn’t receive training
A breach happened as a result of an employee error? Who is to blame? According to Kevin, ‘responsibility is a catch 22.’ You can look at it from many different perspectives. If an employee does something that’s against a policy, there is a personal responsibility. But you can’t blame the users if they have neither the proper training nor the technology (like email-filtering) to back them up.
9. Positive reinforcement and gamification are the way to go
IGT had been working with a number of phishing training vendors over the years.
Most solutions were on schedule, like sending a phishing email monthly. People knew that the simulations were coming. The primary reason IGT moved to Hoxhunt was the different approach to phishing awareness. Although it’s frequent, it is not repetitive or predictable. IGT also wanted to reduce the click rate and create positive interaction for the employees. Hoxhunt offers immediate feedback when an employee fails a simulation, but it’s still a positive nudge toward the correct action. There’s still a “stick,” but it’s done in a positive way.
The gamification aspect was also important. The management liked it, and it scored really high marks for them. In today’s world, gamification is the way to go. The security team has had some great feedback about Hoxhunt, and that’s an indication of doing training the right way.
10. Report the right metrics
IGT gets a lot of metrics from Hoxhunt. They don’t report everything to the upper management, but they have a substantial amount of data at their disposal. The main number the team looks at is the number of employees that click on the simulations. They don’t report metrics such as completed simulations, fail rates, or success rates.
On the threat-reporting side, they report whether real phishing emails or spam people reported.
The team reports the metrics by the country for the competitive aspect of it. Before Hoxhunt, the click rate was around 30%. As of March 2021, a year after starting with Hoxhunt, it’s around 4–5%.
+ 1. There is no real framework for security awareness training
You must align the security awareness training with the business. When you build yours, consider the business’s needs and goals. There’s no real framework or roadmap for doing it. Tailor your program and approach to match your company’s culture. You must have mandatory training; you can’t get away from that. But you also can’t ignore the phishing part of it because it’s such a dominant attack vector.